Not All Those Who Wander Are Lost: Dynamic Epistemic ... · 560 Not All Those Who Wander Are Lost: Dynamic Epistemic Reasoning in Navigation Sometimes, it is more important to reach

Not All Those Who Wander Are Lost:Dynamic Epistemic Reasoning in Navigation

Yanjing Wang Yanjun Li

Department of PhilosophyPeking University

{y.wang,lyj2010}@pku.edu.cn

Abstract

In everyday life, people get lost even when they have the map: they simply may notknow where they are in the map. However, when moving forward they may havenew observations which can help to locate themselves by reasoning. In this paper,we propose and develop a semantic-driven dynamic epistemic framework to handleepistemic reasoning in such navigation scenarios. Our framework can be viewed as acareful blend of dynamic epistemic logic and epistemic temporal logic, thus enjoyingfeatures from both frameworks. We made an in-depth study on many model theor-etical aspects of the proposed framework and provide a complete axiomatization.

Keywords: dynamic epistemic logic, epistemic temporal logic, navigation, planning

1 Introduction

1.1 Motivation

Have you ever been lost with a map? Almost everyone had such an experienceas a tourist in an unfamiliar city: even when you have the map of the city, it issometimes still hard to figure out where you are exactly and how to reach yourdestination. There are typical cases when you just cannot find the street name,or you are on a long long street with a lot of turns (welcome to Amsterdam!).In such scenarios, a little bit of wandering and reasoning may help:

This circular street along the canal is called Prinsengracht, but I am not surewhether I am at place A or B. Let me walk a bit further. Now I see that I canturn left but according to the map if I were at B I would not be able to turnleft so soon. Thus I must have been A. Now I know my way to Leidseplein.

In the above reasoning process, the important elements are: the map, theuncertainties about your location and your observations of the current availableactions. We reason by matching the actual available moves with the moves atthe possible current locations according to the map.

1 The main title is taken from the poem All that is gold does not glitter by J.R.R. Tolkien.

560 Not All Those Who Wander Are Lost: Dynamic Epistemic Reasoning in Navigation

Sometimes, it is more important to reach your destination than locatingyourself exactly. In the Mission Impossible-like films, the secret agent sneakingin an enemy building is usually guided by his headquarters (often a geek sittingbehind a laptop). However, the communication with the HQ will almost alwaysbe lost at some point for some reason. Finally the agent has to find his ownway. Suppose the agent has the following floor plan with safety zones marked(though there are no special signs at those places), but does not know whetherhe is currently at s2 or at s3 (denoted by the dashed line):

s7 s6loo s8:Safe s9:Safe

s1 r // s2 r //

u

OO

s3 r //

u

OO

s4:Safe r //

u

OO

s5

Now suppose that the agent is actually at s3 (the underlined state) and hecan only observe the available moves at his current location, e.g., at s3 heonly observes that he may move right (r) or move up (u). Let us consider thefollowing scenarios:

• Knowing the actual location of the agent, the HQ may guide the agent tomove right (do r) to a safe place (s4). However, merely following the com-mand, the agent may not know that he is safe after doing r, since if he were ats2, doing r would get him to an unsafe place s3, but s3 and s4 share exactlythe same available moves (r and u), thus he cannot distinguish them.

• The HQ may alternatively guide the agent to move up (u) to s8. Thistime the agent should know that he is safe: he sees that he cannot move anyfurther, however, if he were at s2 initially and thus at s6 after moving u, thenhe would be able to move left which contradicts his current observations.

• Suppose the communication with the HQ is lost, the agent may make hisown plan as follows: he knows that no matter where exactly he is right now,moving first r and then u will make sure that he is safe, although afterwardshe will still not know where he is exactly.

In this paper, we formalize the epistemic reasoning behind such scenarios byproposing a semantic-driven dynamic epistemic logical framework with the fol-lowing real life applications in mind as the long term goals:

• Global navigation: given the map with uncertainties and the actual locationof a subject (human or robot), navigate it to guarantee certain (epistemic)goals, e.g., transport the prisoners to a safe place without letting them knowwhere they are.

• Local navigation: given only the map with uncertainties of the current loc-ation of a subject, let the subject navigate itself to guarantee certain (epi-stemic) goals, e.g., the robot should plan its own way in an endangerednuclear power plant to make sure it “knows” that it will reach all the criticalmachines that need to be shut down.

Wang and Li 561

1.2 Related work

Related Work Dynamic epistemic logics (DEL) are designed to handle know-ledge updates caused by events (cf. e.g, [20,1,24]). Arguably the most generalframework of DEL is the one using event models proposed in [2]. It is naturalto apply the existing techniques of DEL with event models in the navigationsetting which is also about knowledge updates after actions. However, as wewill show in the later part of the paper, the standard event model approach(even extended with protocols as in [21,11]) is not suitable to handle epistemicreasoning in such scenarios. On the other hand, algebraic approaches inspiredby DEL have been proposed to model the robot navigation in [17,18,10]. Des-pite the apparent differences in frameworks (algebra vs. logic), we depart fromthis series of works in the way of handling the map information and actions.In [17,18,10], the nodes of the map are encoded by basic propositions and thusthe moves in the map are taken to be actions that change the truth value ofbasic propositions (encodings of the current position). In our semantic-drivenapproach, we simply take the maps with uncertainties as models and movingin a map does not change the truth values of any basic propositions but thecurrent position and epistemic uncertainties. Instead of the theorem provingin the algebraic approach we can model check a rich class of desired propertiesexpressed by a natural yet simple logic language, which can be fully automated.

Another usual framework for reasoning about knowledge and developmentsof a system is the epistemic temporal logic (ETL) proposed in [7,19]. Essentially,ETL and DEL are instances of two-dimensional modal logic, which is also used inother multi-agent systems (cf. e.g. [16,14]). Efforts have been made to mergethe frameworks of ETL and DEL [21,11]. Our approach can also be viewed asa careful blend of ETL and DEL in the sense that the temporal development isexplicitly encoded in the map as in ETL but the epistemic developments arecomputed in spirit of DEL.

The planning problem with uncertainties and non-deterministic actions(conformant planning) are well-studied in Artificial Intelligence (cf. e.g., [8]),since it was raised in [15]. Our models are similar to the belief spaces usedin solving such planning problems (cf. e.g., [4]). The focus there, however, ison the algorithms and heuristics to the planning problem while we would liketo present a semantics-driven logic for reasoning about knowledge, which alsodiffers from the situation calculus based logical planning approaches such as[13]. We hope to encode various planning problems by model checking prob-lems in the extensions of our framework, which we leave for further occasions. 2

The technical contributions and the structure of the paper are summarizedas follows:

• In Section 2, we propose a dynamic epistemic framework on maps with un-

2 The connections to belief space planning was suggested to us by Prof. Bernhard Nebel,Dr. Christian Becker-Asano and Dr. Andreas Witzel, when the first author was visiting IsaacNewton Institute in 2012 for a project coordinated by Prof. Benedikt Lowe.


certainties. The semantics is non-standard in the sense that we only assigntruth values to the formulas on certain states of the models (not all of them!).

• A substitution-closed axiomatization is provided in Section 3 to capture thevalidity of the logic and the completeness is proved by using a detour tech-nique handling the interactions of the epistemic operator and the actionoperators.

• Section 4 discusses some model theoretical properties of the proposed logic:the structural invariance, the finite model property and notably a non-trivialnormal form theorem which says that any formula is equivalent to an (expo-nentially longer) formula where K operator only appear outside the scopesof action operators.

• In Section 5, we compare our logic with ETL via an intuitive translation. Wealso show that, due to technical reasons, DEL with event models and protocolsare not suitable for handling navigation tasks compared to our logic.

2 Preliminaries

2.1 Kripke model with uncertainties

Given a set P of basic propositions and a set A of basic actions, a multimodalKripke model N w.r.t. P and A is a tuple: N = 〈S, {Ra | a ∈ A}, V 〉 whereS is a non-empty set of states (or locations), Ra ⊆ S × S is a binary relation,

V : P → P(S) is a valuation function. To simplify notations, we write sa→ t

for sRat. Given a Kripke model N , we denote its set of states, relations andvaluation by SN ,

a→N and VN . Given an s ∈ SN , let e(s) be the set of available

actions at s, i.e., e(s) = {a | ∃s′ ∈ SN such that sa→ s′}. Such a Kripke model

may be viewed as an abstract “map” with some basic facts decorating thestates. Note that non-deterministic actions are allowed: executing a at thesame state may result in different states. 3

An uncertainty map (UM) is a Kripke model with a set of uncertaintiesabout the current location of an agent. Formally, a UM model M is a tuple

〈S, {Ra | a ∈ A}, V, U〉

where 〈S, {Ra | a ∈ A}, V 〉 is a Kripke model and U ⊆ S is a non-empty setsuch that for all s, t ∈ U : e(s) = e(t). The requirement of U actually saysthat the uncertainties should comply with the observation about the availableactions. We use UM to denote the uncertainty set ofM. A pointed UM model(M, s) is a UM model M with a designated state s ∈ UM representing theactual location of the agent. Given a model M, let E(s) be the set of statesthat share the same available actions as s, i.e., E(s) = {t ∈ S | e(s) = e(t)}.

The graph mentioned in the introduction can be viewed as an illustration

3 The non-determinism can also be used to model uncertainties about actions, e.g., withouta compass, moving east, west, south, north may look exactly the same to an agent at a crossroad, thus in the map we may use the same action to stand for these four moves.

Wang and Li 563

of a UM model w.r.t P = {Safe} 4 and A = {l, u, r} with the uncertainty set{s2, s3} (the states connected by the dotted line).

2.2 Language and semantics

To reason about knowledge and actions in the scenarios mentioned earlier, weuse the following simplest modal language EALAP (Epistemic Action Language)with knowledge and actions as modalities:

φ ::= > | p | ¬φ | φ ∧ φ | [a]φ | Kφ

where p ∈ P, a ∈ A. As usual, we use the following abbreviations: ⊥ := ¬>,φ ∨ ψ := ¬(¬φ ∧ ¬ψ), φ → ψ := ¬φ ∨ ψ, 〈a〉φ := ¬[a]¬φ, Kφ := ¬K¬φ.Intuitively, Kφ says that the agent knows that φ and [a]φ expresses that ifthe agent can move forward by a, then after doing a, φ holds (a may be non-deterministic).

Given any UM model M = 〈S, {Ra | a ∈ A}, V, U〉 and any point s ∈ Uthe satisfaction relation is defined on pointed UM model M, s as:

M, s � > ⇐⇒ always

M, s � p ⇐⇒ s ∈ V (p)

M, s � ¬φ ⇐⇒ M, s 2 φM, s � φ ∧ ψ ⇐⇒ M, s � φ and M, s � φ

M, s � [a]φ ⇐⇒ ∀t ∈ S : sa→ t implies M|at , t � φ

M, s � Kφ ⇐⇒ ∀u ∈ U :M, u � φ

where M|at = 〈S, {Ra | a ∈ A}, V, U |at 〉 and U |at = U |a ∩ E(t) with

U |a = {r′ | ∃r ∈ U such that ra→ r′}.

It is easy to check that in the clause of [a]φ, U |at ⊆ E(t) and t ∈ U |at thusM|at , t is indeed a pointed UM model.

The semantics of Kφ is rather intuitive as in epistemic logic. The intuitionbehind the semantics of [a]φ formulas is as follows: if you can move forward bya and then end up at t, your uncertainty set should be carried forward withyou along the possible a moves, which explains the first set in the definition ofU |at ; As for the second part, note that you may eliminate some uncertaintiesaccording to the actual observation about the available actions at t.

Here are a few points we have to highlight before moving further:

• We define semantics on pointed UM models and only the states in UM canbe taken as the designated points to evaluate formulas. This means that thetruth values of EALAP formulas are not defined on all the states in a model.

• In particular, your knowledge at a certain state in the model only becomeclear when you have moved there or one of its indistinguishable states, thusthe knowledge is essentially path-dependent (see the example below).

4 If there is no label Safe at a state, then it means the proposition Safe is not true there.


• Therefore, we say that a formula φ is valid (� φ) iff for any pointed UMmodel M, s: M, s � φ.

Let us consider the following example (it is a tweaked version of a commonexample used in [17,18,10]).

Example 2.1 The left and right graphs below depict the initial pointed modelM, s1, and the pointed model after a b move (M|bs3 , s3) respectively.

s1 b //

a

��

s3 : p

s2 b //

a

<<

s4

b→

s1 b //

a

��

s3 : p

s2 b //

a

<<

s4

It is easy to verify that M, s1 � K¬p ∧ 〈b〉¬Kp.The left, middle, and right graphs below depict the pointed models M, s1,

M|as2 , s2 and (M|as2)|as3 , s3 respectively.

s1 b //

a

��

s3 : p

s2 b //

a

<<

s4

a→

s1 b //

a

��

s3 : p

s2 b //

a

<<

s4

a→

s1 b //

a

��

s3 : p

s2 b //

a

<<

s4

Now we see thatM, s1 � K¬p∧〈a〉〈a〉Kp. Compare (M|as2)|as3 , s3 andM|bs3 , s3,it is clear that checking whether Kp is true at s3 depends on how do you getto s3. It does not mean much to evaluate the knowledge of an agent on thestates that he thinks he cannot be currently. The agent may know more orstay ignorant after wandering around.

Going back to our “mission impossible” example in the introduction, wecan now verify the claims about three scenarios w.r.t. the model (call itMMI):

• MMI, s3 � 〈r〉(Safe ∧ ¬KSafe) (HQ guides you safe but you do not know it)

• MMI, s3 � 〈u〉(Safe ∧KSafe) (HQ guides you safe and you know it)

• MMI, s3 � K(〈r〉〈u〉Safe∧ [r][u]Safe) (You know the plan will make you safe)

Given a UM model pointed M, s, a goal expressed by a EALAP formula φand a plan as a sequence of actions a1 · · · an, we can verify whether the plancan possibly satisfy the goal by checking M, s � 〈a1〉 · · · 〈an〉φ.

3 Axiomatization

In this section, we provide a sound and complete axiomatization of EALAP onUM models. Recall that a formula is valid if it holds on all the pointed models.In the sequel we assume that A is finite.

Given a UM model M, let MML be the Kripke “core” of M (by simplyignoring the uncertainty set UM); letMEL be the S5 model 〈UM,∼, V ′〉 where∼ = UM × UM and V ′ = VM|UM . Let �ML and �EL denote the standardsemantics for multimodal logic and epistemic logic respectively (cf. e.g., [3]).

Wang and Li 565

Two easy observations follow immediately from the semantics of EALAP :

Proposition 3.1 For any K-free EALAP-formula φ: M, s � φ iff MML, s �ML φ.For any [·]-free EALAP-formula φ: M, s � φ iff MEL, s �EL φ.

However, it is clear that EALAP cannot be reduced, qua expressive power, toany of these two fragments of EALAP , due to the two dimensional nature (actionand knowledge) of the UM models. 5 This means that the usual axiomatizationof DEL-style logic (e.g., [20] and [1]) via reductions does not work here. Inthe axiomatization, we include the axioms of epistemic logic and multimodallogic with extra axioms capturing the dynamics in terms of the interactionbetween 〈a〉 and K. Inspired by [25], the Henkin-style completeness proofmakes use of an auxiliary semantics which transforms dynamics of models intostatic relations in the canonical model.

3.1 Finite axiomatization SEALAP

System SEALAP

Axioms Rules

TAUT all the axioms of propositional logic MPφ, φ→ ψ

ψ

DISTK K(p→ q) → (Kp→ Kq) NECKφ

Kφ

DIST(a) [a](p→ q) → ([a]p→ [a]q) NEC(a)φ

[a]φ

OBS(a) K〈a〉> ∨K¬〈a〉> SUBφ(p)

φ(ψ)

T Kp→ p

4 Kp→ KKp

5 ¬Kp→ K¬Kp

PR(a) 〈a〉Kp→ K〈a〉p

NL(a)∧

B⊆A(K〈a〉(p ∧ ψB) → [a](ψB → Kp))

where a ranges over A, p, q range over P and in the last clause, ψB =(∧

b∈B〈b〉>) ∧ (∧

b 6∈B ¬〈b〉>). Since A is finite, EALAP is a finite axiomaticsystem. PR(·) and NL(·) denote the axioms of perfect recall and no learningrespectively, following the convention in the literature (cf. [9]).

Based on the semantics of EALAP and Proposition 3.1, it is easy to verify thatthe following axioms and rules are valid: DISTK, DIST(·), T, 4, 5, NECK, NEC(·).The validity of OBS(·) is due to the requirement on the uncertainty sets in UMmodels. Note that the uniform substitution SUB is also valid according to oursemantics, which is different from the usual DEL-style logics (cf. [24]).

To prove the soundness of EALAP , we still need to show that PR(·) and NL(·)

5 E.g., you cannot find an epistemic formula to tell two UM models apart if they share thesame epistemic core but are quite different in the map part. Similar for the K-free formulas.


are valid. In the following, we verify the corresponding axiom schemas wherep is replaced by an arbitrary φ.

Proposition 3.2 For any a ∈ A: � 〈a〉Kφ→ K〈a〉φProof For any M, s, if M, s � 〈a〉Kφ, then there is a t ∈ S, such that

sa→ t and M|at , t � Kφ, thus there is also a v ∈ UM|at , M|at , v � φ. Because

v ∈ UM|at = UM|a ∩ E(t), then there is a u ∈ UM, such that ua→ v and

E(v) = E(t). Thus UM|av = UM|at , then M|at = M|av , thus M|av , v � φ. Since

ua→ v, M, u � 〈a〉φ, because u ∈ UM then M, s � K〈a〉φ. 2

Proposition 3.3 For any a ∈ A: �∧

B⊆A(K〈a〉(φ ∧ ψB)→ [a](ψB → Kφ))

Proof For any M, s, we need to prove that for any B ⊆ A, M, s � K〈a〉(φ ∧ψB) → [a](ψB → Kφ). If M, s � K〈a〉(φ ∧ ψB), then there is a u ∈ UM,

such that M, u � 〈a〉(φ ∧ ψB), thus there is also a v ∈ SM, such that ua→ v

and M|av , v � φ ∧ ψB. Then we need to prove that M, s � [a](ψB → Kφ).

Namely, for any t ∈ SM, assuming sa→ t and M|at , t � ψB, we need to show

that M|at , t � Kφ. Since M|av , v � ψB, then E(t) = E(v), thus UM|at = UM|avand M|at = M|av . Since M|av , v � φ, M|at , v � φ. Now since v ∈ UM|at ,M|at , t � Kφ. 2

Since we include DIST(·), DISTK, NEC(·), NECK in the system, it is easy toverify the following propositions as standard exercises in normal modal logic.

Proposition 3.4 ` [a](φ ∧ ψ) ↔ ([a]φ ∧ [a]ψ), ` [a]φ ∨ [a]ψ → [a](φ ∨ ψ),` K(φ ∧ ψ)↔ (Kφ ∧Kψ).

Proposition 3.5 If ` φ↔ φ′, ` ψ ↔ ψ′, then ` ¬φ↔ ¬φ′, ` φ∧ψ ↔ φ′∧ψ′,` 〈a〉φ↔ 〈a〉φ′, and ` Kφ↔ Kφ′.

Based on the above propositions, we can show the useful inference rule ofreplacements of equivalents is an admissible rule of the system SEALAP

.

Proposition 3.6 If ` ψ ↔ ψ′, and φ′ is obtained by replacing some occur-rences of ψ in φ with ψ′, then ` φ↔ φ′.

3.2 Completeness

To prove the completeness, we will use an auxiliary semantics of EALAP onepistemic multimodal models (EM models). Formally, an EM model N is atuple 〈S, {Ra | a ∈ A}, V,∼〉, where 〈S, {Ra | a ∈ A}, V 〉 is a multimodalKripke model and ∼ is an equivalence relation over S such that s ∼ t impliese(s) = e(t). Note that ∼ can also be viewed as a partition of S. Therefore thedifference between a UM modelM and an EM model N is that UM denotes asingle equivalence class while ∼ denotes a set of the equivalence classes whichform a partition of SN . EALAP formulas can be interpreted on EM models withthe usual Kripke semantics (denoted as ):

N , s [a]φ ⇐⇒ ∀t : sa→ t implies N , t φ

N , s Kφ ⇐⇒ ∀t : s ∼ t implies N , t φ

Wang and Li 567

However, we cannot always transform a UM model M into an EM modelM′ by simply adding more equivalence classes such that for any EALAP -formulaφ: M, s � φ ⇐⇒ M′, s φ. In Example 2.1, based on the initial UM model,it is impossible to assign an equivalence class including s3 to make sure that〈b〉¬Kp and 〈a〉〈a〉Kp both hold at s1.

On the other hand, an EM model can also be viewed as a UM model withextra epistemic information. Given an EM model N = 〈S, {Ra | a ∈ A}, V,∼〉and s ∈ S, let Ns be the UM model 〈S, {Ra | a ∈ A}, V, Us〉 where Us = {t |s ∼ t in N}. We say � and coincide on an EM model N if for any s ∈ SNand any EALAP -formula φ: N , s φ ⇐⇒ Ns, s � φ. It is not hard to see thatthe two semantics do not coincide on arbitrary EM models in general, however,as we will show later, the two semantics do coincide on the canonical EM modelwhich is essential in the proof of completeness.

Our proof strategy can be summarised as follows:

(i) Prove the Lindebaum-like lemma: every SEALAP-consistent set of formulas

can be extended into a maximal consistent set (SEALAP-MCS).

(ii) Construct a canonical EM model C and prove the truth lemma w.r.t. theauxiliary semantics ( ).

(iii) Show that � and coincide on the canonical model thus obtaining thetruth lemma w.r.t. �. Finally, given a SEALAP

-MCS Γ, (CΓ,Γ) is the pointedUM model which satisfies all the formulas in Γ.

The Lindebaum lemma is routine. We define a canonical EM model basedon MCSs of SEALAP

as usual for normal modal logics (cf. e.g., [3]):

C = < Sc, {Rca | a ∈ A},∼c, V c >

where:

• Sc is the set of all SEALAP-MCSs;

• sRcat ⇐⇒ for any φ ∈ t then 〈a〉φ ∈ s ⇐⇒ for any [a]φ ∈ s then φ ∈ t;

• s ∼c t ⇐⇒ for any φ ∈ t then Kφ ∈ s ⇐⇒ for any Kφ ∈ s then φ ∈ t;• V c(p) = {s | p ∈ s}.According to the canonicity of axioms T, 4, and 5, we know that ∼c is indeedan equivalence relation on Sc. To verify that C is indeed an EM model, weneed to verify that s ∼c t implies e(s) = e(t).

Proposition 3.7 In the canonical model C, a ∈ e(s) ⇐⇒ 〈a〉> ∈ s.

Proof ⇒: If a ∈ e(s), according to the definition of e(s), there is a t ∈ Sc, sa→

t,because > ∈ t, then 〈a〉> ∈ s.⇐: Let D = {φ | [a]φ ∈ s}. Since ` [a](φ ∧ ψ) ↔ [a]φ ∧ [a]ψ, s is closed

under finite conjunctions. If D is not consistent, then there is φ ∈ D, ` φ→ ⊥.By the rule NEC(a), ` [a](φ → ⊥), thus by DIST(a), ` [a]φ → [a]⊥, namely` [a]φ→ ¬〈a〉>. Since [a]φ ∈ s, ¬〈a〉> ∈ s which is contradictory to 〈a〉> ∈ s.


Therefore there is a maximal consistent set t such that D ⊆ t. According tothe definition of Rc

a, we have sRcat thus a ∈ e(s). 2

Proposition 3.8 In the canonical model C, if s ∼c t then e(s) = e(t).

Proof For any a ∈ A, if a ∈ e(s), then according to Proposition 3.7, 〈a〉> ∈ s.By axioms OBS(a) and T, K〈a〉> ∈ s. Since s ∼c t, 〈a〉> ∈ t, by Proposition3.7, a ∈ e(t), namely e(s) ⊆ e(t). It is symmetric to show e(t) ⊆ e(s). 2

In the rest of this section, we will show that the two semantics coincideon C. To prove this, the key idea is to show that the equivalence classes ofC capture all the possible dynamics of the uncertainty sets, e.g., if you movefrom a state s in an equivalence class Us in C to a state t, then the updateduncertainty set (Us)|at is exactly the equivalence class that t belongs to in C.Formally, we have the following proposition (recall that Us = {t | s ∼c t in C}).

Proposition 3.9 In the canonical model C, if sa→ t, then (Us)|a ∩E(t) = Ut.

Namely Us|at = Ut and thus Cs|at = Ct.

Proof ⊆: Assuming v ∈ (Us)|a ∩ E(t), we need to prove that v ∈ Ut, namely

v ∼c t. Since v ∈ (Us)|a, there is a u, such that u ∼c s and ua→ v. Let B = {a |

a ∈ A and 〈a〉> ∈ v}, then ψB ∈ v. For any φ ∈ v, it is clear that φ ∧ ψB ∈ v.

Since ua→ v, 〈a〉(φ ∧ ψB) ∈ u. By u ∼c s we have K〈a〉(φ ∧ ψB) ∈ s. Now

by axiom NL(a) and rule SUB, [a](ψB → Kφ) ∈ s. Since sa→ t, ψB → Kφ ∈ t.

Because v ∈ E(t), then ψB ∈ t thus Kφ ∈ t. By the definition of ∼c, we havev ∼c t, namely v ∈ Ut.⊇: If v ∈ Ut, by Proposition 3.8, e(v) = e(t) then v ∈ E(t). In order

to prove v ∈ (Us)|a ∩ E(t), we only need to show that v ∈ (Us)|a. In the

following we will construct an MCS u such that s ∼ u and ua→ v. Let

D = {ψ | Kψ ∈ s} ∪ {〈a〉φ | φ ∈ v}. It is easy to see that {ψ | Kψ ∈ s}is closed under finite conjunctions. If D is not consistent, we must have `ψ ∧ 〈a〉φ1 ∧ · · · ∧ 〈a〉φn → ⊥ for some Kψ ∈ s and φ1 . . . φn ∈ v, then ` ψ →([a]¬φ1∨· · ·∨[a]¬φn). Because ` [a]¬φ1∨· · ·∨[a]¬φn → [a](¬φ1∨· · ·∨φn), then` ψ → [a](¬φ1∨· · ·∨¬φn). By NECK and DISTK, ` Kψ → K[a](¬φ1∨· · ·∨¬φn).By PR(a) and SUB, ` K[a](¬φ1 ∨ · · · ∨ ¬φn) → [a]K(¬φ1 ∨ · · · ∨ ¬φn), then` Kψ → [a]K(¬φ1 ∨ · · · ∨ ¬φn). Since Kψ ∈ s, [a]K(¬φ1 ∨ · · · ∨ ¬φn) ∈ s.Due to the fact that s

a→ t, K(¬φ1 ∨ · · · ∨ ¬φn) ∈ t. Since v ∼c t, then¬φ1 ∨ · · · ∨ ¬φn ∈ v. This is contradictory to φ1 . . . φn ∈ v and that v isconsistent. Therefore D is consistent, then there is a maximal consistent setu, such that D ⊆ u. Clearly u ∼c s and u

a→ v, thus v ∈ (Us)|a. In sum,v ∈ (Us)|a ∩ E(t). 2

To prove the truth lemma w.r.t. � we make use of the following truthlemma w.r.t. as a standard exercise for normal modal logic (cf. e.g., [3]).

Lemma 3.10 For any EALAP formula φ, any s in C: C, s φ ⇐⇒ φ ∈ s.

All we need now is to show that two semantics coincide on C.

Wang and Li 569

Lemma 3.11 For any EALAP formula φ, any s in C: C, s φ ⇐⇒ Cs, s � φProof Do induction on the structure of φ. The cases for φ = p, φ = ¬ψ, andφ = φ1 ∧ φ2 are immediate.

φ = [a]ψ, if C, s [a]ψ, but Cs, s 2 [a]ψ, then there is a t ∈ Sc, such

that sa→ t and Cs|at , t 2 ψ, by Proposition 3.9, Cs|at = Ct, then Ct, t 2 φ, by

IH, C, t 1 φ. Since sa→ t, C, s [a]ψ, contradiction. On the other hand, if

Cs, s � [a]ψ, but C, s 1 [a]ψ, then there is a t ∈ Sc, such that sa→ t, and

C, t 1 ψ. According to IH, Ct, t 2 ψ. Now from Proposition 3.9, we haveCs|at = Ct, then Cs|at , t 2 ψ. However, s

a→ t and Cs, s � [a]ψ, contradiction.φ = Kψ, if C, s Kψ, but Cs, s 2 Kψ, then there is a u ∈ Us such that

Cs, u 2 ψ. Since u ∈ Us, then Us = Uu, thus Cs = Cu, therefore Cu, u 2 ψ. ByIH C, u 1 ψ which is contradictory to the facts u ∼c s and C, s Kψ. On theother hand, if Cs, s � Kφ, but C, s 1 Kψ, then there is a u, such that s ∼c uand C, u 1 ψ. By IH, Cu, u 2 ψ. Since s ∼c u, then Us = Uu thus Cs = Cu.Therefore Cs, u 2 ψ which is contradictory to u ∈ Us and Cs, s � Kψ. 2

Based on Lemmata 3.10 and 3.11, every SEALAP-consistent set of formulas

has a model Cs, s, thus the completeness is immediate.

Theorem 3.12 SEALAPis sound and complete on UM models.

4 Modal theoretical properties of EALAPIn this section, we prove three results which can help us to understand EALAP onUM models better. We first show that EALAP is invariant under a special notionof bisimulation between UM models, which inspires a normal form theorem asour second result, and finally we prove the finite model property of EALAP basedon these insights.

4.1 Structural invariance for EALAP

Recall that given a UM model M = 〈S, {Ra | a ∈ A}, U, V 〉, MML is themultimodal model without U , i.e. MML = 〈S, {Ra | a ∈ A}, V 〉. Let MLAP bethe K-free fragment of EALAP .

Next, we define a structural relation between UM models based on thenotion of bisimilarity (↔) on multimodal models w.r.t. P and A (cf. e.g., [3]).

Definition 4.1 For any UM models M and N , we say that M is U-bisimilarto N (notation: M� N ) iff:

• for any u ∈ UM, there is a u′ ∈ UN , such that MML, u ↔ N ML, u′,

• for any u′ ∈ UN , there is a u ∈ UM, such that MML, u ↔ N ML, u′.

We say two pointed UM models are U-bisimilar (M, u � N , u′) iff MML, u ↔N ML, u′ and M� N .

Now we prove that the moves in UM models preserve U-bisimilarity.

Proposition 4.2 If M, s � N , u, sa→ t in M, u

a→ v in N , and MML, t ↔N ML, v, then M|at , t� N|av , v.


Proof Since (M|at )ML = MML, (N|av)ML = N ML and MML, t ↔ N ML, v, then bythe definition of �, we only need to prove thatM|at � N|av , namely for each x′

in UM|at there is a y′ in UN |av such that (M|at )ML, x′ ↔ (N|av)ML, y′ (the reversecondition can be proved symmetrically).

For each x′ ∈ UM|at = UM|a ∩ E(t), there is an x ∈ UM and xa→ x′ in

M. Since M� N , then there is a y ∈ UN , such that MML, x↔ N ML, y. Sincex

a→ x′ inM, then according to the definition of bisimilarity, there is a y′ ∈ SN ,such that y

a→ y′ in N andMML, x′ ↔ N ML, y′ (thus (M|at )ML, x′ ↔ (N|av)ML, y′.).Clearly y′ ∈ UN |a. We only need to show that y′ ∈ E(v) in order to prove thaty′ ∈ UN |av . Since MML, x′ ↔ N ML, y′, e(y′) = e(x′). Now due to the fact thatx′ ∈ UM|at , we have e(x′) = e(t). Since MML, t ↔ N ML, v, then it is easy to seethat e(t) = e(v), thus e(y′) = e(x′) = e(t) = e(v), therefore y′ ∈ E(v), namelyy′ ∈ UN |av . 2

We say a UM model M is image-finite if UM is finite, and for any s ∈ SMand any a ∈ A: {t | s a→ t} is finite. Let ≡EALAP

be the logical equivalencerelation between pointed models. As an easy exercise, we can show that U-bisimilarity indeed preserves the truth values of the EALAP -formulas based onProposition 4.2 (we omit the proof due to limited space).

Proposition 4.3 For any pointed models M, u, N , u′ : M, u� N , u′ impliesM, u ≡EALAP

N , u′. The converse holds when restricted to image-finite models.

4.2 Normal form

Proposition 4.3 says that the distinguishing power of EALAP is bounded by theU-bisimilarity. A closer look reveals something more surprising: qua expressivepower, the full language of EALAP is equivalent to its fragment where knowledgeoperator only appears outside the scopes of the action modalities. Formally,formulas φ in this fragment (EALKAP) can be generated by:

φ ::= > | p | ψ | ¬φ | φ ∧ φ | Kφψ ::= > | p | ¬ψ | ψ ∧ ψ | [a]ψ

where a ∈ A and p ∈ P.In this subsection we will show that every EALAP formula is equivalent to

an (exponentially longer) EALKAP formula. Note that although Proposition 4.3already suggests that EALAP and EALKAP have the same distinguishing power,their expressive powers may still differ, 6 thus the result does not follow fromProposition 4.3.

Definition 4.4 We define the K-degree of EALAP formulas (kd(φ)) as follows:

kd(>) = 0 kd(p) = 0

kd(¬φ) = kd(φ) kd(φ ∧ ψ) = max{kd(φ), kd(ψ)}kd([a]φ) = 0 kd(Kφ) = 1 + kd(φ)

6 Here by distinguishing power we mean the power of a language to tell two models apartwhile expressive power measures the power of the language to define classes of models (prop-erties of the models).

Wang and Li 571

where p ∈ P and a ∈ A.

Note that we treat the outmost [·]φ (not in the scope of any other [·]) asatomic formulas by setting kd([·]φ) = 0, e.g., kd(K[a]K[b]p) = 1.

Definition 4.5 An EALAP formula φ is in K-conjunctive normal form (K-CNF)iff:

• φ = α1 ∧ · · · ∧αn such that ∀1 ≤ i ≤ n : αi = βi1 ∨ · · · ∨βim for some m ≥ 1,

• each βij is in the shape of p,¬p, [·]ψ,¬[·]ψ, Kχ or Kχ where kd(χ) = 0.

Note that SEALAPincludes all the axioms and rules of S5. Thus by using the

standard result for S5 logic, we can turn each EALAP formula into K-CNF.

Proposition 4.6 For any EALAP-formula φ, there is an EALAP formula φ′, suchthat � φ↔ φ′ and φ′ is in K-CNF. In particular, for each EALKAP-formula thereis an equivalent EALKAP-formula in K-CNF.

Proof We treat the outmost [·]ψ formulas as atomic formulas when massagingthe original formula according to the standard normal form result for S5 (cf.e.g., [12]), thus keeping the formulas in EALKAP . 2

Note that in an EALAP formula of K-CNF, there may still be some occurrencesof K modality inside the scope of [·] modalities. In the sequel, we will try topush the K operator out. Here are two crucial results proved using the spiritbehind the validity of axioms PR(·) and NL(·). 7

Proposition 4.7

(1) � [a](Kφ ∨ χ)↔∧B⊆A

(〈a〉(ψB ∧ ¬χ)→ K[a](ψB → φ))

(2) � [a](Kφ ∨ χ)↔∧B⊆A

(〈a〉(ψB ∧ ¬χ)→ K〈a〉(ψB ∧ φ))

Proof(1) Left to right: IfM, s � [a](Kφ∨χ), we need to prove that for any B ⊆ A,

M, s � 〈a〉(ψB∧¬χ)→ K[a](ψB → φ). Now supposeM, s � 〈a〉(ψB∧¬χ), then

there is a t, such that sa→ t, andM|at , t � ψB∧¬χ. BecauseM, s � [a](Kφ∨χ),

then M|at , t � Kφ ∨ χ, then M|at , t � ψB ∧Kφ.We need to prove that M, s � K[a](ψB → φ), namely for any u ∈ UM we

need to showM, u � [a](ψB → φ). That is, for any v such that ua→ v, we need

to show M|av , v � ψB → φ. Suppose M|av , v � ψB, we then have E(v) = E(t)since M|at , t � ψB. Therefore UM|at = UM|a ∩ E(t) = UM|a ∩ E(v) = UM|av ,thus M|at =M|av and v ∈ UM|at . SinceM|at , t � Kφ, we have M|at , v � φ, thusM|av , v � φ.

(1) Right to left: Suppose for any B ⊆ A, M, s � 〈a〉(ψB ∧ ¬χ) →K[a](ψB → φ), we need to show that M, s � [a](Kφ ∨ χ). Suppose not, then

7 The equivalences can be proved in SEALAP

too.


there is a t, such that sa→ t and M|at , t � ¬Kφ ∧ ¬χ ∧ ψB for some B = e(t).

ThenM, s � 〈a〉(ψB∧¬χ). SinceM, s � 〈a〉(ψB∧¬χ)→ K[a](ψB → φ), thenM, s � K[a](ψB → φ). SinceM|at , t � ¬Kφ, then there is v ∈ UM|at , such thatM|at , v � ¬φ (∗). Since v ∈ UM|at , then v ∈ E(t) and there is a u ∈ UM such

that ua→ v. Since M, s � K[a](ψB → φ), then M, u � [a](ψB → φ). Since

ua→ v, M|av , v � ψB → φ. Since v ∈ E(t) and B = e(t), we have M|av , v � ψB

thus M|av , v � φ. Again by the fact that v ∈ E(t) we have UM|at = UM|av , thusM|at = M|av . Now it is easy to see that M|at , v � φ which is contradictory to

(∗). Thus there is no such t that sa→ t and M|at , t � ¬Kφ ∧ ¬χ, therefore

M, s � [a](Kφ ∨ χ).(2) Left to right: Assuming M, s � [a](Kφ ∨ χ), we need to prove that for

any B ⊆ A: M, s � 〈a〉(ψB ∧ ¬χ)→ K〈a〉(ψB ∧ φ).

Now suppose M, s � 〈a〉(ψB ∧ ¬χ), then there is a t, such that sa→ t and

M|at , t � ψB ∧ ¬χ. Since M, s � [a](Kφ ∨ χ), then M|at , t � Kφ ∨ χ, thenM|at , t � ψB ∧ Kφ. Thus there is a v ∈ UM|at , such that M|at , v � φ. Since

v ∈ UM|at , there is a u ∈ UM such that ua→ v and v ∈ E(t). v ∈ E(t)

implies that M|at , v � ψB. Then M|at , v � ψB ∧ φ. Because v ∈ E(t), thenUM|at = UM|av , thus M|at = M|av . Therefore M|av , v � ψB ∧ φ, and then wehave M, u � 〈a〉(ψB ∧ φ). Since s, u ∈ UM, M, s � K〈a〉(ψB ∧ φ).

(2) Right to left: Suppose for any B ⊆ A, M, s � 〈a〉(ψB ∧ ¬χ) →K〈a〉(ψB ∧ φ) but M, s 2 [a](Kφ ∨ χ), then there is a t, such that s

a→ t andM|at , t � K¬φ∧¬χ∧ψB for some B = e(t) ⊆ A. ThereforeM, s � 〈a〉(ψB∧¬χ),thusM, s � K〈a〉(ψB ∧φ) due to the assumption thatM, s � 〈a〉(ψB ∧¬χ)→K〈a〉(ψB ∧ φ). Now there is a u ∈ UM such that M, u � 〈a〉(ψB ∧ φ). Then

there is a v, ua→ v and M|av , v � ψB ∧ φ. Since M|av , v � ψB and e(t) = B, we

have v ∈ E(t), thus UM|at = UM|av . Therefore M|at = M|av , then M|at , v � φ

which contradicts to M|at , t � K¬φ. Thus there is no such t that sa→ t and

M|at , t � K¬φ ∧ ¬χ, therefore M, s � [a](Kφ ∨ χ). 2

Now we are ready to prove the main theorem of this subsection.

Theorem 4.8 For any EALAP formula φ, there is an EALKAP formula φ′, suchthat � φ↔ φ′.

Proof Before we start the proof, note that by Proposition 3.6 and The-orem 3.12, the replacements of the equals preserve validity. We will use itrepeatedly. We prove the theorem by induction on the structure of φ:

The cases for φ = p,¬φ′, φ1 ∧ φ2, and Kφ′ can be easily proved by IH andthe replacement of equals.

φ = [a]ψ, by IH, there is an EALKAP -formula ψ′, such that � ψ ↔ ψ′. ByProposition 4.6, there is an EALKAP -formula χ in K-CNF, such that � χ ↔ ψ′.Since χ is in K-CNF, then we can assume that χ = α1 ∧ · · · ∧ αn, then [a]χis clearly equivalent to [a]α1 ∧ · · · ∧ [a]αn. We want to show that for each1 ≤ i ≤ n, [a]αi is equivalent to an EALKAP -formula since then [a]α1∧· · ·∧ [a]αn

is also equivalent to an EALKAP -formula.Since χ is an EALKAP -formula, each αi is also an EALKAP -formula. By

Wang and Li 573

the definition of K-CNF, each αi is in the shape of β1 ∨ · · · ∨ βm, then[a]αi = [a](β1 ∨ · · · ∨ βm). It is clear that for any 1 ≤ j ≤ m, βj isan EALKAP -formula. By definition of K-CNF, each βj is in the shape of

p,¬p, [·]ψ,¬[·]ψ, Kχ or Kχ where kd(χ) = 0. Note that for EALKAP - formulasφ : kd(φ) = 0 ⇐⇒ φ is K-free. Now since βj is in EALKAP , then it is not hard

to see that βj contains K operator iff βj = Kχ or βj = Kχ where χ is K-free.Then we can sort all the βj into two categories depending on whether it isK-free, and rearrange the disjuncts in αi as βi1 ∨ · · · ∨ βih ∨ · · · ∨ βim , suchthat kd(βik) = 1 for 1 ≤ k ≤ h and kd(βik) = 0 for h < k ≤ m. We will provethe following claim (?):

For any h ≥ 0 and any m > h there is an EALKAP -formula γ, such that� γ ↔ [a](βi1 ∨ · · · ∨ βih ∨ · · · ∨ βim).

We prove it by induction on h. The case of h = 0 is trivial since all the βik(1 ≤ k ≤ m) are K-free.

Now suppose the claim holds when h = n (for all m > h) we need toprove the case of h = n + 1. Let χ = βi1 ∨ · · · ∨ βin ∨ βin+2

∨ · · · ∨ βim , then[a](βi1 ∨ · · · ∨ βim) is equivalent to [a](χ ∨ βin+1). Since kd(βin+1) = 1, thus

βin+1 contains K then βin+1 = Kχ′ or βin+1 = Kχ′, where χ′ is K-free.(i) If βin+1 = Kχ′, then [a](χ ∨ βin+1) = [a](χ ∨Kχ′). By Proposition 4.7

(1), [a](χ ∨Kχ′) is equivalent to∧B⊆A

(¬[a](¬ψB ∨ χ)→ K[a](¬ψB ∨ χ′))

Note that given an B ⊆ A, ψB is a K-free EALKAP -formula in the shape of∧a∈B〈a〉> ∧

∧b 6∈B ¬〈b〉>. Therefore ¬ψB is still an EALKAP -formula which is

equivalent to∨

a∈B[a]⊥ ∨∨

b6∈B ¬[b]⊥. Therefore ¬ψB ∨ χ can be massagedinto a right disjunctive form βi1 ∨ · · · ∨ βin ∨ · · · ∨ βim+|A| . Now by IH, there

is an EALKAP -formula γB, such that γB is equivalent to [a](¬ψB ∨ χ). Since χ′

is K-free, then K[a](¬ψB ∨ χ′) is already an EALKAP -formula. Now let θB =¬γB → K[a](¬ψB ∨ χ′) we can see that θB is an EALKAP -formula equivalent to¬[a](¬ψB ∨ χ)→ K[a](¬ψB ∨ χ′).

(ii) The case for βin+1= Kχ′ can be proved similarly by using Proposi-

tion 4.7 (2). Hereby we complete the proof for claim (?).In sum, for each i: [a]αi is equivalent to an EALKAP -formula thus [a]ψ is equi-

valent to an EALKAP -formula therefore completing the proof of the theorem. 2

The above proof also suggests a naive algorithm to translate an EALAP -formula into an EALKAP -formula, which works in the inside-out fashion:

(i) Find the minimal sub-formulas which are not in EALKAP , massage theminto K-CNF, and then use the method described in the above proof totranslate them into equivalent EALKAP -formulas by pushing K out.

(ii) Replacing those sub-formulas in the original formula by their EALKAP cor-respondents.


(iii) Repeat step (i) until all the subformulas are in the right shapes. Everystep pushes the K operator one level out towards the outmost positionsthus the procedure terminates eventually.

For example let A = {a}, [a]Kp can be translated to a K-CNFEALKAP formula:

([a][a]⊥ ∨K[a](〈a〉> → p)) ∧ ([a]〈a〉> ∨K[a]([a]⊥ → p))

Let χ1 = [a][a]⊥, χ2 = [a]〈a〉> and φ1 = [a](〈a〉> → p) and φ2 = [a]([a]⊥ → p).Thus [a][a]Kp is equivalent to: [a](χ1 ∨Kφ1) ∧ [a](χ2 ∨Kφ2) and then to∧i=1,2

((〈a〉(〈a〉>∧¬χi) → K[a](〈a〉> → φi))∧(〈a〉(¬〈a〉>∧¬χi) → K[a](¬〈a〉> → φi)))

Clearly, the translated formula is at least exponentially longer. We leave thediscussion on the succinctness of EALAP compared to EALKAP for future work.

Remark 4.9 Is there a simpler translation? In many DEL-style logics, we canoften define a simple recursive translation from the full language to its fragmentby swapping the connectives and modalities, e.g., in public announcement logic,[ψ]¬φ ⇐⇒ ψ → ¬[ψ]φ (cf. e.g., [20]). However, such idea may not work here:it seems there is no general equivalence-preserving rule to swap 〈a〉 and ¬.

4.3 Finite model property

Theorem 4.8 also suggests that EALAP has the finite model property : First of all,it is not hard to see that for any EALKAP formula φ, φ has a UM model iff φ hasan EM model (w.r.t. ); Secondly, EALKAP on EM model has the finite modelproperty (an easy exercise for normal modal logic); Thirdly any pointed EMmodel of an EALKAP -formula can be viewed as an EALKAP -equivalent UM modelby ignoring the equivalence classes that do not contain the designated point.

In the rest of this section, we directly prove the finite model property ofEALAP on UM models by using finite approximations of U-bisimilarity.

Definition 4.10 The modal degree of EALAP-formulas (md(φ)) is defined asfollows:

md(>) = 0 md(p) = 0

md(¬φ) = md(φ) md(φ ∧ ψ) = max{md(φ),md(ψ)}md(〈a〉φ) = 1 +md(φ) md(Kφ) = md(φ)

Note that here K does not count for modal degrees. Let EALAPn = {φ | φ ∈EALAP , and md(φ) ≤ n}

Now we define the finite approximation of � based on n-bisimilarity w.r.t.P and A (cf. [3]).

Definition 4.11 EM model M and N are n-U-bisimilar ( M �n N ) iff forany u ∈ UM, there is a u′ ∈ UN such that MML, u ↔n N ML, u′ and for anyu′ ∈ UN , there is a u ∈ UM such that MML, u ↔n N ML, u′. For pointed models,M, s�n N , u iff MML, s ↔n N ML, u and M�n N .

Wang and Li 575

Proposition 4.12 For n > 0: if M, s �n+1 N , u, sa→ t, u

a→ v, andMML, t ↔n N ML, v, then M|at , t�n N|av , v.

Proof Since (M|at )ML = MML and (N|av)ML = N ML, (M|at )ML, t ↔n (N|av)ML, v,thus we only need to prove M|at �n N|av .

For any t′ ∈ UM|at = UaM ∩ E(t), there is an s′ ∈ UM, such that

s′a→ t′. Since M, s �n+1 N , u, then there is a u′ ∈ UN , such that

MML, s′ ↔n+1 N ML, u′. Therefore there is a v′, such that u′a→ v′ and

MML, t′ ↔n N ML, v′. Therefore v′ ∈ UN |a and e(v′) = e(t′) (due to the factthat n > 0 and MML, t′ ↔n N ML, v′). Since e(t′) = e(t) and e(t) = e(v), wehave e(v′) = e(v), thus v′ ∈ E(v), therefore v′ ∈ UN |av . Now we have provedthat for any t′ ∈ UM|at , there is a v′ ∈ UN |av , such that MML, t′ ↔n N ML, v′,namely (M|at )ML, t↔n (N|av)ML, v. The other direction is totally symmetric. 2

Proposition 4.13 M, s�n+1 N , u =⇒ M, s ≡EALAPnN , u.

Proof The proof is based on induction on n: For n = 0, we can easily checkthat all the EALAP0-formulas are preserved under �1. Now supposeM, s�k+1

N , u implies M, s ≡k N , u. We need to show M, s �k+1+1 N , u impliesfor all EALAPk+1 formula φ: M, s � φ ⇐⇒ N , u � φ. Now suppose thatM, s�k+1+1 N , u, we proceed by induction on the structure φ:

For Boolean cases, it is obvious.φ = [a]ψ: If N , u � [a]ψ but M, s 2 [a]ψ, then there is a t, such that

sa→ t, and M|at , t 2 ψ. Since M, s ↔k+2 N , u, then there is a v, u

a→ v,and MML, t ↔k+1 N ML, v. By Proposition 4.12, M|at , t �k+1 N|av , v. Sincemd(ψ) ≤ k, and by IH for k, N|av , v 2 ψ, this is contradictory to the fact thatN , u � [a]ψ. The other direction is symmetric.

φ = Kψ, if N , u � Kψ but M, s 2 Kψ then there is a s′ ∈ UM, M, s′ 2ψ. Since M, s �k+2 N , u then there is a u′ ∈ UN , MML, s′ ↔k+2 N ML, u′

then M, s′ �k+2 N , u′. By IH for simpler φ, N , u′ 2 ψ. Then N , u 2 Kψ,contradiction. The other direction is symmetric. 2

The reader may wonder about the mismatch between n and n + 1 in theabove proposition. Actually it is not surprising since in the semantics we ac-tually look one step forward to observe the available actions. The translationof the previous subsection also showed that the EALKAP equivalent translationmay have larger modality depth than the original formula (check the exampleof [a]Kp in the previous subsection). 8

Theorem 4.14 For each EALAP-formula φ, if it has a UM model then it has afinite tree-like model with the depth of at most n+ 1 where n = md(φ).

Proof (Sketch:) Without loss of generality, we assume P and A are finite(since a formula is about at most finitely many symbols). Let n = md(φ).Suppose φ has a UM model M, we first “contract” the set UM according to

8 Actually, a closer analysis would reveal that this can only happen when md(φ) = 1.Proposition 4.13 can be strengthened to : for n > 1 :M, s�n N , u ⇐⇒ M, s ≡EALA

PnN , u.


↔n+1 (equivalently, according to ≡MLn+1 , where MLn+1 is the K-free fragment ofEALAPn+1). Note that since MLn+1 is essentially a finite language modulo logicalequivalence, after the contraction there are only finitely many representativeswhich form a finite set U ′. Then we finitely (up to n+ 1) unravel the pointedmultimodal models based on these states and prune the branches to make afinite model. Finally we make a disjoint union of these unravellings with theuncertainty set U ′. 2

To squeeze the model even further we also develop a highly non-trivialfiltration technique which we left for the full version of this paper. Basedon such a finite model property and the fact that there is a finite completeaxiomatization, we can conclude that EALAP is decidable on UM models.

5 Comparisons

We claimed in the introduction that our EALAP framework is a blend of ETL andDEL frameworks. In this section, we make it more precise by comparing EALAPto ETL and DEL. The conclusions can be summarized as follows:

• Our UM models can be viewed as compact representations of ETL structureswhere the epistemic relations are computed based on the following: 1. theprevious epistemic uncertainties, 2. the executed actions, and 3. the newobservations, which is, in spirit, similar to the DEL-like epistemic updates.

• On the other hand, the DEL approach via product updates on epistemic mod-els with protocols can also be viewed as a logic on particular ETL structures,however, satisfying a property which is violated in the navigation scenarios.Due to this and other difficulties, the standard DEL with event models is notsuitable to handle the reasoning in the navigation scenarios.

To facilitate the comparisons, let us fix some notations first. Given a UMmodelM for EALAP , we say ρ = s0a1s1a2s2 · · · ansn is a path inM if s0 ∈ UM,

n ≥ 0 and for any 0 ≤ i ≤ n− 1: siai+1→ si+1 in M. Given a path ρ =

s0a1s1a2s2 · · · ansn let len(ρ) = n be the length of ρ. Note that there are pathsof length 0 consisting of a single state.

5.1 Comparison with ETL

Technically speaking, a single-agent ETL model is just a tree-like EM model.We can unravel a UM model into such an ETL model.

Definition 5.1 Given a UM model M = 〈S, {Ra | a ∈ A}, U, V 〉, we defineMETL as 〈S•, {R•a | a ∈ A},∼, V •〉 where:

(i) S• = {ρ | ρ is a path in M starting with some s ∈ U}(ii) ρ

a→ ρ′ in METL iff ρ′ = ρat for some t ∈ S and a ∈ A.

(iii) For any two paths ρ = s0a1 · · · ansn and ρ′ = t0b1 · · · bmtm in S•: ρ ∼ ρ′

in M• iff (n = m, for all i ≤ n: ai = bi and e(si) = e(ti)).

(iv) V •(s0a1 · · · ansn) = V (sn)

Wang and Li 577

It is easy to show that ∼ is indeed an equivalence relation. Moreover wecan define ∼ more explicitly:

Proposition 5.2 ∼ ⊆ S• × S• is the minimal set of pairs satisfying the fol-lowing conditions:

(i) s ∼ t for any s, t ∈ U(ii) ρas ∼ ρ′a′s′ if ρ ∼ ρ′, a = a′ and e(s) = e(s′).

Let us unravel the initial model in Example 2.1.

Example 5.3 Given the initial model asM, METL can be depicted as follows(where dotted lines denote the ∼ relation while omitting the reflexive arrows):

s1

a

zzb

%%

s2

b

~~a

##s1as2

b

zza

$$

s1bs3 : p s2bs4 s2as3 : p

s1as2bs3 s1as2as4

The following result is crucial to prove that METL is indeed a good trans-formation preserving the truth values of EALAP formulas.

Proposition 5.4 Let M = 〈S, {Ra | a ∈ A}, U, V 〉 and s ∈ U . If there exists

an s′ ∈ S such that sa→ s′, then M•, sas′ ↔ (M|as′)•, s′ (here the bisimilarity

is w.r.t. P,A and also ∼).

Proof We define a binary relation Z on SM•×S(M|as′ )• as follows Z = {(ρ, ρ′) |

ρ ∈ SM• , ρ′ ∈ S(M|as′ )• and there exists an u ∈ UM such that ρ = uaρ′}.

Clearly sas′Zs′, thus Z is non-empty. Now we prove that Z is a bisimula-tion. The propositional invariance condition and the back-and-forth conditionsfor

a→ are obvious. We only need to check the back-and-forth conditions for ∼.In the sequel, suppose ρ = uaρ′ for some path ρ′ in S(M|a

s′ )• , then it is clear

that ρ′ starts with some state t ∈ SM such that e(t) = e(s′).Now suppose ρ ∼ ξ then according to the definition of ∼, ξ must be in the

shape of vaξ′ where v ∈ UM and ξ′ must start with a state t′ ∈ SM such thate(t′) = e(t) = e(s′). Therefore t′ ∈ UM|a

s′, then it is not hard to see that ρ′ ∼ ξ′

in M|as′ . For the other direction, suppose ρ′ ∼ ξ′ in M|as′ then it is easy to seethat there is a v ∈ UM such that uaρ′ ∼ vaξ′ by definition of ∼ in M. 2

Recall that denotes the satisfaction relation of the auxiliary semantics ofEALAP language on EM models used in Section 3. The following preservationresult can be proved based on Proposition 5.4 without much efforts.

Theorem 5.5 For any EALAP formula φ: M, s � φ ⇐⇒ M•, s φ.

Theorem 5.5 established the equivalence of our framework and ETL frame-work (restricted to the models with epistemic relations computed in a particularway). However, it is not reasonable to work with ETL models explicitly sincethe unravelling transforms a finite map into an infinite forest if there are loops.


5.2 Comparison with DEL

As we mentioned in the introduction, there are efforts trying to merge ETL andDEL frameworks. Most notably, [21] characterizes the DEL-generated ETL models(under protocols) by a few properties. In [6] the authors argue that synchron-icity is not an inherent feature of DEL but is introduced by the specific transla-tion used in [21]. However, it is usually agreed that the property of (local) nomiracles (LNM) is inevitable for a DEL-generated ETL model. 9 Formally, LNMsays that in the DEL-generated ETL model, for any states s, s′, t, t′, w, w′, v, v′

and any action labels c, d:

((sc→ s′, t

d→ t′, s′ ∼ t′) and (s ∼ w ∼ v, w c→ w′, vd→ v′)) implies w′ ∼ v′.

In picture (whether s and t are indistinguishable is unknown):

t

d��

s

c

��

w

c

��

v

d��

t′ s′ w′ v′

In words, LNM roughly says that whenever the results of executing two actionsare indistinguishable, then executing these two actions on indistinguishablestates must result in indistinguishable states again. Actually, this property isinherent in the definition of the updated epistemic relations according to thestandard product update [1], where two updated states are indistinguishableafter executing two actions on two old states respectively iff the two old statesare indistinguishable and the two actions are indistinguishable too.

However, in our navigation scenarios, it is often the case that executing thesame action (thus indistinguishable from itself) on previously indistinguishablestates will result in distinguishable states, e.g., in Example 5.3, performingaction a on indistinguishable states s1 and s2 will result in distinguishablestates. To see that it is an example violating LNM, let s = t = s2, s

′ = t′ =s2as3, c = d = a,w = s1, v = s2 and w′ = s1as2, v

′ = s2as3 and check thedefinition of LNM 10 .

The feature of our epistemic update mechanism is reflected in Proposi-tion 5.2: the three conditions in the inductive case actually say (1) the olduncertainties on states are respected; (2) we do not have uncertainties aboutactions with different names; (3) the observations at the new states may affectthe new uncertainties. It is the feature (3) which makes us deviate from LNM.

Merely technically speaking, we may still try to mimic the EALAP frame-work by the standard DEL via event models. The difficulties and the potentialsolutions are summarized below, interested readers may consult the algebraicDEL-approaches in [17,18,10].

9 Although we take the notion of LNM as in [21], our counterexample also works for theother no miracle notions in [6].10Actually LNM also prevents the application of standard DEL in security verification asobserved in [5].

Wang and Li 579

• Failure of LNM: try to split one action into different actions w.r.t. differentconditions, e.g., in Example 5.3 the two a moves must be treated differentlyin the event model.

• The standard DEL-model does not contain procedural information: use state-dependent protocols to encode the moves in the map (cf. e.g., [21]).

• No location changes: try to capture the changes of current location by factualchanging actions (cf. e.g., [23,18]).

• DEL-updates are functional: to model non-deterministic actions, multi-pointed event models should be used.

6 Conclusion and future work

In this paper, we lay out a logical framework for dynamic epistemic reasoningin navigation. The “philosophy” behind our work is summarized as follows:

• Keep the logical language and its model as simple and natural as possible,while put the complexity on the semantics.

• Combine the spirits from ETL and DEL by having the temporal possibilitiesencoded in the model while computing the epistemic developments step bystep according to the update semantics.

• When proving theoretical results, try to reduce the dynamics of the modelsinto static relations in a larger model.

We think this is just the opening of an interesting story. A few futuredirections are mentioned as follows. For the current framework, we have notdiscussed the computational issues such as the complexity of satisfiability andmodel checking problems and the succinctness compared to EALKAP . To gen-eralize the current framework, we may consider general observations insteadof observations of the currently available actions only, for which we may usepropositional variables to encode available observations as in [22]. Similar tech-niques for axiomatization should work in the more general case. As in [18], theconverse action operator may be introduced to express “I know where I was”,although we conjecture that it can be eliminated qua expressive power. Finallyit is natural to ask whether our framework can be extended to multi-agent.

As we mentioned in the introduction, we are aiming at real-life applicationsof navigation and planning, for which an epistemic Propositional DynamicLogic (EPDL) language is more attractive due to its program language. Wecan then reduce the planning problem into model checking problem of EPDL-formulas expressing sentences like “there is a plan that can make sure he knowsφ”. This extension may require new techniques and we leave it for future work.

Acknowledgement This work is supported by SSFC grant 11CZX054. The first

author would like to thank Dr. Mehrnoosh Sadrzadeh for pointing out the problem

of robot navigation during her visit to Amsterdam in 2010. The authors are also

grateful to the anonymous referees of AiML2012 for their insightful comments on the

early version of this paper.


References

[1] Baltag, A. and L. Moss, Logics for epistemic programs, Synthese 139 (2004), pp. 165–224.

[2] Baltag, A., L. Moss and S. Solecki, The logic of public announcements, commonknowledge, and private suspicions, in: Proceedings of TARK’98 (1998), pp. 43–56.

[3] Blackburn, P., M. de Rijke and Y. Venema, “Modal Logic,” Cambridge University Press,2002.

[4] Bonet, B. and H. Geffner, Planning with incomplete information as heuristic search inbelief space, in: Artificial Intelligence Planning Systems, 2000, pp. 52–61.

[5] Dechesne, F. and Y. Wang, To know or not to know: Epistemic approaches to securityprotocol verification, Synthese 177 (2010), pp. 51–76.

[6] Degremont, C., B. Lowe and A. Witzel, The synchronicity of dynamic epistemic logic,in: Proceedings of TARK’11, 2011, pp. 145–152.

[7] Fagin, R., J. Halpern, Y. Moses and M. Vardi, “Reasoning about knowledge,” MIT Press,Cambridge, MA, USA, 1995.

[8] Goldman, R. and M. Boddy, Expressive planning and explicit knowledge, in: Proceedingsof AIPS’96), 1996, pp. 110–117.

[9] Halpern, J., R. van der Meyden and M. Vardi, Complete axiomatizations for reasoningabout knowledge and time, SIAM Journal on Computing 33 (2004), pp. 674–703.

[10] Horn, A., Dynamic epistemic algebra with post-conditions to reason about robotnavigation, in: L. Beklemishev and R. de Queiroz, editors, Proceedings of WoLLIC’11,LNCS 6642 (2011), pp. 161–175.

[11] Hoshi, T., “Epistemic Dynamics and Protocol Information.” Ph.D. thesis, Stanford(2009).

[12] Hughes, G. E. and M. J. Cresswell, “A New Introduction to Modal Logic,” Routledge,1996.

[13] Levesque, H. J., R. Reiter, Y. Lesperance, F. Lin and R. B. Scherl, GOLOG: A logicprogramming language for dynamic domains, Journal of Logic Programming 31 (1997),pp. 1–3.

[14] Meyer, J.-J. C., W. van der Hoek and B. van Linder, A logical approach to the dynamicsof commitments, Artifitial Intellegence 113 (1999), pp. 1–40.

[15] Michie, D., Machine intelligence at edinburgh, in: On Machine Intelligence, 1974 pp.143–155.

[16] Moore, R., A formal theory of knowledge and action, in: J. Hobbs and R. Moore, editors,Formal Theories of the Commonsense World (1985), pp. 319–358.

[17] Panangaden, P., C. Phillips, D. Precup and M. Sadrzadeh, An algebraic approach todynamic epistemic logic, in: Proceeedings of Description Logics’10, 2010.

[18] Panangaden, P. and M. Sadrzadeh, Learning in a changing world, an algebraic modallogical approach, in: AMAST’10, 2010, pp. 128–141.

[19] Parikh, R. and R. Ramanujam, Distributed processes and the logic of knowledge, in:Proceedings of Conference on Logic of Programs (1985), pp. 256–268.

[20] Plaza, J. A., Logics of public communications, in: M. L. Emrich, M. S. Pfeifer,M. Hadzikadic and Z. W. Ras, editors, Proceedings of the 4th International Symposiumon Methodologies for Intelligent Systems, 1989, pp. 201–216.

[21] van Benthem, J., J. Gerbrandy, T. Hoshi and E. Pacuit, Merging frameworks forinteraction, Journal of Philosophical Logic 38 (2009), pp. 491–526.

[22] van der Hoek, W., N. Troquard and M. Wooldridge, Knowledge and control, in: S. Tumer,Yolum and Stone, editors, Proceedings of AAMAS’11, 2011, pp. 719–726.

[23] van Ditmarsch, H., W. van der Hoek and B. Kooi, Dynamic epistemic logic withassignment, in: Proceedings of AAMAS’05, 2005, pp. 141–148.

[24] van Ditmarsch, H., W. van der Hoek and B. Kooi, “Dynamic Epistemic Logic,” (SyntheseLibrary), Springer, 2007, 1st edition.

[25] Wang, Y. and Q. Cao, On axiomatizations of public announcement logic (2012),manuscript under submission.

Documents

Not All Those Who Wander Are Lost: Dynamic Epistemic ... · 560 Not All Those Who Wander Are Lost: Dynamic Epistemic Reasoning in Navigation Sometimes, it is more important to reach